Why CAPTCHA Is Evil And Must Die

I have complained about CAPTCHA as a security measure many times around these parts, but that doesn’t stop some of the biggest players in the market from continuing to use annoying and often unreadable CAPTCHA security (yes, I’m looking at you, Google, your CAPTCHA sucks to a level arguably only matched by Optus). A new Australian campaign against CAPTCHA highlights a crucial point: they suck badly and waste time for most people, but they render large swathes of the internet actually unusable for the vision-impaired.

CAPTCHA is familiar to many of us in the form of on-screen messages asking for a sequence of letters to be typed, and in theory means that systems can prevent registration by non-human automated systems. In reality, it usually means swearing repeatedly at the screen because the characters you can see are unreadable and you’re wasting time trying to sign into a service you already use. (Again, Google, thanks for nothing.)

The Australian Communications Consumer Action Network (ACCAN) is spearheading a campaign to push for organisations in Australia to abandon CAPTCHA in favour of more accessible alternatives. ACCAN has partnered with Blind Citizens Australia, Media Access Australia, Able Australia and the Australian Deafblind Council for the initiative, which includes an online petition opposing the use of CAPTCHA.

While online petitions are often pointless, there’s an important message here for developers: don’t use CAPTCHA. The W3C proposes several less discriminatory alternatives, including more effective back-end system checks and the use of logic puzzles. Audio versions aren’t necessarily a solution, since these often prove just as hard to comprehend as the visual versions.

ReCAPTCHA is crowd-sourcing the difficult part of OCR for printed texts. There are always two words in a ReCAPTCHA CAPTCHA but only one is the actual passcode. The passcode always has the same font and is distorted in a similar way each time, and is typically not a real word; the non-passcode will usually be a real word or perhaps number, but will be in a random font and have quite unusual distortions.

It doesn't matter what you enter for this second word (although it can be placed first or second in the CAPTCHA). Try it out for yourself! Sometimes I troll ReCAPTCHA for teh lulz by putting in something completely wrong for the second word. But mostly I think it's an ingenious way of getting the mostly-compliant masses to help machines be much better at text recognition.

"This negates your entire argument about visually impaired people,"
Not necessarily.
How does a blind person know where the cursor is, so as to move it to the little speaker button (how do they know where on the page the speaker button is?), to hear the CAPTCHA?

"surely their NDIS paid carer can help them use the web"
Yeah, that's great for the 1 hour that they're around. The best bit about the internet is how you can browse to a certain point and then have to wait 23 hours for your carer to come back to progress!

Using the accessibility tools. Those tools open programs, read text, read the ALT for image tags, insert spoken words into forms, follow links. They do not know where the little speaker icon is on the CAPTCHA.

Using a screen reader, they can tab through interactable parts of the DOM. Fire up NVDA and try and browse a page with a CAPTCHA. If it's been done correctly, it should be straightforward.

But not all CAPTCHAs have been created with this in mind. In fact, I haven't found one that works out of the box yet. Most require a tweak or two to get working perfectly (tabindex is usually the culprit).

CAPTCHA is inaccessible due to the fact that a lot of the ARIA attributes aren't included in the DOM for the buttons. Yes, they have a "speak this" button, but navigating to it isn't as intuitive as it should be. It can be improved - I've done it in the past - but it's a lot of work to take the stock CAPTCHA and make it AT-friendly. Try using NVDA alongside Chrome, and you'll see the issues.

The audio version is, in fact, mentioned in the final paragraph. While being a bit difficult is in the very nature of captchas, the audio versions can be kind of unpleasant to use. I've had blind people ask for help with the visual captchas on more than a few occasions when the audio captcha was either indecipherable or just plain not working.

Captchas are genuinely hard to replace in some situations, and I doubt we'll ever get rid of them completely. The problem is that they're just so easy to implement they're horrifically overused.
You could spend a while coding up a trust-based solution for your forum (new users get run through a Bayesian filter and then moderated for their first few posts, have to achieve x amount of posts/karma before posting links or private messaging is allowed, etc.) or you could put in a captcha. Most people will choose the captcha.

Google doesn't misuse captchas too badly themselves; they usually only throw them at you after you're already showing signs of being a machine (try signing in and out of three or four Google accounts within 15 minutes and watch the trigger go off).

For now it's a necessary evil. After your site's discussion boards get bombed the first time, your domain blacklisted and you have to clean up thousands upon thousands of emails and posts, you soon realise that captcha is a very simple way to solve the bot vs. human thing that anyone can implement, because there's a million plugins for your WordPress, Joomla, Drupal, Nuke, Umbraco (insert name of favourite CMS platform here) sites that are increasingly being built and run by users that have zero clue about development and zero clue about running a publicly accessible server. Until reliable alternatives exist, it'll stick around. I've long advocated that customers use SPF, but they don't because it's too hard and they like to spoof the address of the person filling in the form when sending confirmations from online forms, which then get used by various bots and end up sending out hundreds of thousands of Viagra ads.

A decent captcha isn't as pedantic as some of the commenters seem to think. reCaptcha is ugly as hell, you have no argument from me, but it is really lenient on the 2nd word, which is usually the more obscure. If it looks like a 3/B/8 or Il1| it'll almost certainly accept any of them, so just write the first thing you think it is instead of staring at it for extended periods of time and stressing about getting it wrong.

I think the bigger crime is super long online forms that take forever to fill in, and then when you get the captcha wrong you have to fill them in all over again from scratch.

Possibly worse than CAPTCHA are the form programmers who delete or reset fields each time you fail the test. (Or similarly delete and reset fields when you don't fill out all the compulsory fields, which are often not correctly marked.)

I'd like to point out that 'logic puzzles' aren't necessarily a more accessible solution, as you're then just increasing the barriers to use for people with cognitive impairments, low literacy levels and so on (depending on the type of logic puzzle chosen).

CAPTCHAs are just a plain bad idea more often than not - best case scenario they're a mild annoyance for your users, worst case you're actively excluding people. Nine times in ten there's a more appropriate solution, and these are what should be used.

PS: On some of the other comments here - try telling the potential client who can't use your website that they're doing humanity a great favour by transcribing lost tomes of wisdom every time they get forced to try one. I'm fairly certain they won't be thanking you for providing the opportunity to be part of such a magnificent endeavour.

When your company is your IP and your IP can be derived from your website, you want to protect it at all costs.

Either a company spends hundreds of thousands of dollars to implement some traffic analysis software to try and weed out spammers and bots, which is not always effective, or we implement a Captcha to try and mitigate it further.

No company wants to use a Captcha, but as long as there are spammers and bots, it will be necessary.

I suggest that the reason you're not seeing specific alternatives identified is because there's no specific use case identified.

Depending on how offensive the CAPTCHA is, I'd generally suggest better alternatives include:
* doing nothing and dealing with exceptions as needed (rather than having a CAPTCHA for the fun of it, based on the assumption that there's a flood of bots just waiting for you to foolishly lower your guard)
* account verification by emailed link (sign-up CAPTCHAs), or more recently by SMS
* IP blocking after an established traffic threshold is passed; and
* blacklisting the usual garbled English meets URL mash-ups that are prevalent in most spam.

Of course, none of these are perfect, but then neither is a CAPTCHA, so I suppose that makes them comparable solutions. As an added bonus, all of the above have pretty much no chance of annoying actual users, or outright denying them access.

You're also wasting your time trying to "protect" anything by CAPTCHA, given that there are now industries of people waiting to solve these things for a couple of dollars per thousand. At best you're deterring casual abuses, which again can equally be addressed through any of the above approaches.
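As an added example (not code from the article or any of its commenters), here is a minimal Python gate for a comment or forum form that implements three of the CAPTCHA-free alternatives discussed in this thread: the per-IP traffic threshold and the link-heavy spam blacklist from the list just above, plus the earlier comment's idea of making new accounts earn trust before they may post links. The class name, thresholds and sample submissions are assumptions.

```python
import re
from collections import defaultdict, deque

# Matches the URL fragments that "garbled English meets URL" spam leans on.
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


class SpamGate:
    """CAPTCHA-free gate for a comment/forum form (assumed design)."""

    def __init__(self, ip_limit=5, window=60.0, max_links=2, trusted_posts=10):
        self.ip_limit = ip_limit            # submissions allowed per IP per window
        self.window = window                # window length in seconds
        self.max_links = max_links          # links tolerated in a single post
        self.trusted_posts = trusted_posts  # posts an account needs before it may link
        self._hits = defaultdict(deque)     # ip -> timestamps of recent submissions

    def _ip_over_threshold(self, ip, now):
        """Sliding-window counter: drop stale hits, record this one, compare."""
        q = self._hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) > self.ip_limit

    def check(self, ip, body, author_posts, now):
        """Return (accepted, reason); the cheapest check runs first."""
        if self._ip_over_threshold(ip, now):
            return False, "ip-threshold"
        links = len(URL_RE.findall(body))
        if links > self.max_links:
            return False, "link-spam"
        if links and author_posts < self.trusted_posts:
            return False, "untrusted-links"
        return True, "ok"


if __name__ == "__main__":
    # Constructed submissions, not real traffic.
    gate = SpamGate()
    print(gate.check("203.0.113.9", "Nice write-up.", 0, 1.0))
    print(gate.check("203.0.113.9", "see www.example.org", 3, 2.0))
```

Rejected submissions are returned with a reason so they can be logged or queued for moderation rather than silently dropped.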

What's even more frustrating is that this Captcha is so tremendously broken that the times you can actually read what it says and you copy the text correctly, it tells you it's incorrect! FUDGE YOU CAPTCHA!